Dear Maarten,
we have implemented the VO group /atlas/it and I'm trying to map
Italian users to atlitXYZ local users at my site.
The configuration of users.conf and groups.conf is like the one you
suggested,
... but Italian users are mapped to "normal" atlas users, not "atlit".

users.conf:
1501:atlit001:1350,1307:itatlas,atlas:atlas:atlit:
1502:atlit002:1350,1307:itatlas,atlas:atlas:atlit:
1503:atlit003:1350,1307:itatlas,atlas:atlas:atlit:
--------------------------------------------------
groups.conf:
"/atlas/ROLE=lcgadmin":::sgm:
"/atlas/ROLE=production":::prd:
"/atlas/it":::atlit:
"/atlas"::::
-------------------------------------------------

from gatekeeper.log:
LCMAPS 1: 2008-10-20.15:26:28.0000014074.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
LCMAPS 6: 2008-10-20.15:26:28.0000014074.0000000000 :     lcmaps_plugin_posix_enf-log_cred(): uid=1083(atlas083):pgid=1307(atlas):sgid=1350(itatlas)
LCMAPS 0: 2008-10-20.15:26:28.0000014074.0000000000 :   lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
LCMAPS 0: 2008-10-20.15:26:28.0000014074.0000000000 : lcmaps.mod-lcmaps_run(): succeeded
LCMAPS 7: 2008-10-20.15:26:28.0000014074.0000000000 : Termination LCMAPS
LCMAPS 1: 2008-10-20.15:26:28.0000014074.0000000000 : lcmaps.mod-lcmaps_term(): terminating
Successfull mapping done
Mapping service "LCMAPS" returned local user "atlas083"

I don't know what to check... why is the mapping done like
"pgid=1307(atlas):sgid=1350(itatlas)"?
Could it be related to the order of attributes in my proxy?

=== VO atlas extension information ===
VO        : atlas
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=Napoli/CN=Alessandra Doria
issuer    : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
attribute : /atlas/it/Role=NULL/Capability=NULL
--------------------------------------------------------------

Thank you
Alessandra


Maarten Litmaath wrote:
> Hi Gonçalo,
>
>> Probably, as you might know, T2 sites have the obligation to guarantee 
>> some share of resources to local T2 users. Local T2 users are here 
>> defined as users which via grid will preferably run their jobs in a 
>> specific T2 site... A local user from my T2 site might be a person 
>> sitting in the office next to mine or someone from another institution 
>> in my region.
>>
>> Batch systems normally guarantee a fair share of resources through the 
>> association of resource usage to unix groups or unix users. 
>> Therefore, somehow, T2 sites will have to map these local users' DNs 
>> to specific (and unchanged) unix accounts or groups. This procedure 
>> is already done for the prd and sgm grid users which are identified 
>> via specific roles in their FQANs. The problem is that these "local" 
>> users are not supposed to invoke any specific role at proxy creation.
>>
>> My question is easy: How do I identify my local users coming to my T2 
>> site?
>>
>> I have thought of mapping these local users' DNs to specific pool 
>> accounts in the gridmapdir directory... I would have to do this by 
>> hand and hack the cron job which tries to re-use pool accounts...
>>
>> Is there some more automatic solution for these?
>
> Yes.  There are sites that already recognize local users and give them a
> preferential treatment.  The distinction would be based on the presence
> of a "local" VOMS group as the primary FQAN, so would need cooperation
> from the VOs to which the users belong.  For example, CMS have defined
> VOMS groups per country.  A CMS institute may want to recognize those
> users that are from the same country.  In YAIM's groups.conf:
>
> -----------------------------------------------
> "/cms/our-country-cms":::our_cms:
> "/cms/ROLE=lcgadmin":::sgm:
> "/cms/ROLE=production":::prd:
> "/cms/ROLE=pilot":::pilot:
> "/cms/HeavyIons":cms01:1340::
> "/cms/Higgs":cms02:1341::
> "/cms/StandardModel":cms03:1342::
> "/cms/Susy":cms04:1343::
> "/cms"::::
> -----------------------------------------------
>
> In users.conf:
>
> -----------------------------------------------
> 42501:ourcms01:1403,1399:ourcms,cms:cms:our_cms
> 42502:ourcms02:1403,1399:ourcms,cms:cms:our_cms
> 42503:ourcms03:1403,1399:ourcms,cms:cms:our_cms
> [...]
> 42550:ourcms50:1403,1399:ourcms,cms:cms:our_cms
> -----------------------------------------------
>
> A new authorization framework is being developed that should allow sites
> to apply site policies without depending on cooperation from the VOs.
>




-- 
--------------------------------------------------
Dott. Alessandra Doria   INFN sez. di Napoli

Complesso Universitario Monte S.Angelo (Room 1H22)
Via Cintia - 80125 -  Napoli

Tel. +39 081 676176
--------------------------------------------------
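
The quoted reply says the distinction is made on the "local" VOMS group being the primary FQAN. The sketch below is an added example, not part of the messages and not YAIM or LCMAPS code; it models that rule against the groups.conf and users.conf lines from this thread. Assumptions: only the first FQAN in the proxy selects the pool, the first matching groups.conf line wins, an entry also matches sub-groups of its group, and the `atlas083` users.conf line is constructed from the log.

```python
# Added illustration; the matching rules here are simplified assumptions.
GROUPS_CONF = '''"/atlas/ROLE=lcgadmin":::sgm:
"/atlas/ROLE=production":::prd:
"/atlas/it":::atlit:
"/atlas"::::'''

USERS_CONF = '''1501:atlit001:1350,1307:itatlas,atlas:atlas:atlit:
1502:atlit002:1350,1307:itatlas,atlas:atlas:atlit:
1083:atlas083:1307:atlas:atlas::'''  # last line constructed from the log

# FQAN order as printed in the proxy above, and a reordered variant.
AS_SENT = ["/atlas/Role=NULL/Capability=NULL",
           "/atlas/lcg1/Role=NULL/Capability=NULL",
           "/atlas/it/Role=NULL/Capability=NULL"]
LOCAL_FIRST = [AS_SENT[2], AS_SENT[0], AS_SENT[1]]

def parse_fqan(fqan):
    """Split an FQAN into (group path, role); Role=NULL and Capability are dropped."""
    group, role = [], None
    for part in fqan.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if not sep:
            group.append(part)
        elif key.lower() == "role" and value.upper() != "NULL":
            role = value
    return "/" + "/".join(group), role

def flag_for(primary_fqan, groups_conf=GROUPS_CONF):
    """Return the flag (4th field) of the first groups.conf line that matches."""
    grp, role = parse_fqan(primary_fqan)
    for line in groups_conf.splitlines():
        fields = line.split(":")
        e_grp, e_role = parse_fqan(fields[0].strip('"'))
        in_group = grp == e_grp or grp.startswith(e_grp + "/")
        if in_group and e_role in (None, role):
            return fields[3]
    return None

def pool_accounts(proxy_fqans, users_conf=USERS_CONF):
    """List users.conf logins whose flag (6th field) matches the primary FQAN."""
    flag = flag_for(proxy_fqans[0])
    rows = (line.split(":") for line in users_conf.splitlines())
    return [f[1] for f in rows if f[5] == flag]

if __name__ == "__main__":
    print("as sent:    ", pool_accounts(AS_SENT))
    print("local first:", pool_accounts(LOCAL_FIRST))
```

Under these assumptions the proxy as printed selects the unflagged atlas pool, which agrees with the `atlas083` result in the gatekeeper log, and only a proxy with `/atlas/it` first selects the `atlit` accounts.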